Cloud computing platform that isolates suspicious third-party code in a distributed cloud computing network

ABSTRACT

A worker process monitors a behavior of a third-party code piece executing in a first isolated execution environment of a plurality of isolated execution environments of a first process in a first compute server. When the behavior of the executing third-party code piece is indicative of a potential speculative execution attack, the third-party code piece is flagged. When a subsequent request is received that triggers execution of the flagged third-party code piece, the worker process generates a private process in the first compute server, separate from the first process, and instantiates a single isolated execution environment within the second process for executing the third-party code piece. The work process loads the third-party code piece in the single isolated execution environment and the second process executes the third-party code piece.

FIELD

Embodiments of the invention relate to the field of network computing; and more specifically, to a cloud computing platform that isolates suspicious third-party code in a distributed cloud computing network.

BACKGROUND

Historically, web application code has been split between origin servers and browsers that are connected by a network that transmits data from point to point. Many large websites were first run on large physical mainframe servers that could handle large traffic and large data. Over time a switch was made to run websites on tens to hundreds of commodity servers that allowed for a reduction in cost, more fault tolerance, and increased performance. The next switch was using virtual machines where one physical machine could be split into multiple virtual machines that can be independently managed. However, virtual machines typically have a high cost. For instance, each virtual machine is typically allocated hundreds of megabytes of RAM and typically takes tens of seconds to boot. Containers can be used to further provide isolation and are less resource intensive than virtual machines. But web application code running in a container typically is run in its own OS-level process, consuming RAM and inducing context-switching overhead. Also, while native code can load quickly in a container, many server-oriented language environments are not optimized for startup time.

Some cloud computing platform process spin up a containerized process for your code and auto-scales the process which creates cold-starts. A cold start occurs when a new copy of the code starts on a machine. A new containerized process is begun which can take between hundreds of milliseconds to multiple seconds (e.g., between 500 ms to 10 seconds). This means that any request may be hanging for as much time as it takes to begin the new containerized process (e.g., as much as ten seconds). Also, this containerized process can only process a single request at a time and a new containerized process must be cold-started each time an additional concurrent request is received. This means that a laggy request can happen over and over. Also, if the containerized process does not receive a request to process within a certain amount of time, it will automatically shut down and will need to be cold started again once the request is received. When new code is deployed, this entire process proceeds again as each containerized process needs to be spun up anew.

One of the key features of an operating system is the ability to run many processes at once. The operating system transparently switches between the various processes that want to run code at any given time. The operating system accomplishes this through a context switch that moves the memory required for one process out and the memory required for the next process in. A context switch can take as much as 100 microseconds. When multiplied by all the processes running on the average cloud computing platform server creates a heavy overhead. This means that not all the CPU's power can be devoted to actually executing the customer code, but rather some is spent switching between the processes.

Most computing platforms are meant to be run by individual customers on their own servers. They are not intended to be run in a multi-tenant environment, executing code of other customers. Memory is often the highest cost of running a customer's code (even higher than the CPU cost).

Building and maintaining applications that easily scale to support spikes in demand or a global user base has generally required a large amount of both upfront engineering work and ongoing operational support. Developers are forced to spend significant time on writing supporting code rather than building the application itself. Many cloud computing platforms require the developer to specify where the code should run (e.g., at which nodes of the cloud computing platform), often with a small number of nodes that can be selected.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention may best be understood by referring to the following description and accompanying drawings that are used to illustrate embodiments of the invention. In the drawings:

FIG. 1 illustrates an exemplary embodiment of a cloud computing platform that executes third-party code in a distributed cloud computing network and mitigates against a potential speculative execution attack according to an embodiment.

FIG. 2 illustrates an example of a compute server according to an embodiment.

FIG. 3 is a flow diagram that illustrates exemplary operations for executing third-party code in a distributed cloud computing network according to an embodiment.

FIG. 4 is a flow diagram that illustrates exemplary operations for monitoring third-party code executing in a distributed cloud computing network according to an embodiment.

FIG. 5 is a flow diagram that illustrates exemplary operations for executing third-party code in a distributed cloud computing network according to an embodiment.

FIG. 6 is a flow diagram that illustrates exemplary operations for executing third-party code in a private process in a distributed cloud computing network according to an embodiment.

FIG. 7 is a conceptual figure that shows a conceptual relationship between third-party code and the process overhead of the isolated execution environment model that is described in embodiments.

FIG. 8 is a conceptual figure that shows a conceptual relationship between code and the process overhead of a virtual machine model.

FIG. 9 illustrates a block diagram for an exemplary data processing system that may be used in some embodiments.

DESCRIPTION OF EMBODIMENTS

A method and apparatus for a cloud computing platform that isolates suspicious third-party code in a distributed cloud computing network is described. The distributed cloud computing network includes multiple compute servers that are geographically distributed (e.g., in different locations throughout the world). There may be hundreds of compute servers that are geographically distributed in different points-of-presences (PoPs). Each PoP may include one or more physical servers (e.g., one or more compute servers, one or more control servers, one or more DNS servers (e.g., one or more authoritative name servers, one or more proxy DNS servers), and one or more other pieces of network equipment such as router(s), switch(es), and/or hub(s)). Each PoP may be part of a different data center and/or colocation site. The distributed cloud computing network may provide different services for customers (e.g., domain owners or operators) such as protecting against internet-based threats, performance services (e.g., acting as a content delivery network (CDN) and dynamically caching customer's files closer to visitors, page acceleration/optimization), TCP stack optimizations, and/or other services.

Third-party code (e.g., written by or deployed by third parties such as customers) can be deployed to all or some of the compute servers of the distributed cloud computing network. The third-party code can be, for example, a piece of JavaScript or other dynamically-typed language, a WebAssembly (WASM) compiled piece of code, or other compiled code. In an embodiment, the third-party code is compliant with the W3C standard ServiceWorker API. The third-party code can, for example, intercept and answer HTTP requests and make outgoing HTTP subrequests as part of answering an HTTP request. For purposes of this description, each piece of third-party code is referred to as a worker script and an executed instance of the worker script is referred to as a worker. Although many workers are third-party code, there may also be first-party workers that are written and/or deployed by the service providing the cloud computing platform.

A worker script of a particular third-party is run in an execution environment in which a single process can run third-party code. The process can contain multiple execution environments at the same time and the process can seamlessly switch between them. Code in one execution environment cannot interfere with code running in a different execution environment despite being in the same process. The execution environments are managed in user-space rather than by an operating system. Each execution environment uses its own mechanism to ensure safe memory access, such as preventing the code from requesting access to arbitrary memory (restricting its use to the objects it has been given) and/or interpreting pointers within a private address space that is a subset of an overall address space. This execution environment is not a container or virtual machine. For purposes of description, this type of execution environment is sometimes referred herein as an isolated execution environment. In a specific implementation, the worker script is run in an isolate of the V8 JavaScript engine.

Because a single process can run multiple isolated execution environments, the overhead of running the isolated execution environments is occurred once (e.g., starting the single process to run the isolated execution environments) and isolated execution environments can be started and run with very little individual overhead. The worker scripts are not executed using a virtual machine or a container. Unlike other cloud computing platforms that spin up a containerized process for processing code that can take as much as ten seconds, an isolated execution environment can be started in as little as 5 ms because a new process does not need to be started (assuming the single process that runs the isolated execution environments is started). Also, since the worker scripts can be run in a single process, there are no expensive context switches like experienced with other cloud computing platforms which means that more time is spent running the code instead of performing context switches. Also, because the implementations of the single process are shared between all isolated execution environments, the memory requirements are less than traditional cloud computing platforms.

In an embodiment, a particular worker script is loaded and executed on-demand (when and only if it is needed) at a particular compute server of the distributed cloud computing network. Each request for a domain that triggers handling of a worker script will be handed by the worker at the compute server that is closest to the requesting user. For instance, when responding to a user in New Zealand, a worker script is run in a compute server in New Zealand that is closest to the user. The compute server that receives the request may be determined by the network infrastructure according to an Anycast implementation or by a geographical load balancer.

However, third-party code written by or deployed by third parties may be malicious code to perform speculative execution attacks. Speculative execution is a technique employed by computer systems that perform branch prediction to improve response time by performing tasks before the computer system knows whether the tasks are actually required. If the task is required, the computer system has already performed the task and can quickly provide the response. If the task is not required, the result of the task can be ignored and eventually discarded. When the task involves accessing private or secure data, the result can include data revealing private data. In a speculative execution attack, an attacker can request the execution of code that exploits the speculative execution to cause the computer system to perform memory accesses to locations storing private or sensitive data. While the computer system is executing tasks with results that are ultimately discarded, an attacker can recover the private data contained in the results through various means, including by timing accesses to memory.

In one solution, timers or concurrency are excluded from a cloud computing platform, preventing an attacker from locally measuring the execution speed of the third-party code. A date function call (e.g., Date.now( )) can typically be used to return the current time. To combat speculative execution attacks, such function calls can be suspended during code execution so if the Date.now( ) function is called before and after executing a request that includes third-party code, the same value (e.g., the time when the request was received) is returned.

Concurrency can also typically be used to create implicit timers. For example, by performing a task at the same time as running code in order to compare the task's runtime vs. the code execution time. To address this issue, allowing multiple tasks to execute concurrently can be suspended, such that each request is performed serially (e.g., performed in a strict order using a single CPU core). Thus, if a worker calls another worker on the same machine, the callee worker may be prevented from running concurrently with the caller worker.

The limiting of access to timers and/or concurrency makes a speculative execution attack much longer to carry out. For example, instead of having access to local timing, the attack would need to use remote timing. For example, a client of a malicious user can send a request to the third-party code piece and calculate how long until a reply is received. Of course, the request and reply is over the internet so there is a certain amount of noise that is introduced into the timing. A successful speculative execution attack needs to amplify itself until the point where the difference between a one bit and a zero bit is larger than the noise window. This noise therefore lowers the bandwidth of the attack and slows the attack down. The slowing down of the attack may allow for further mitigation techniques described herein such as determining whether a third-party code piece exhibits behaviors indicative of a potential speculative execution attack code, and if so, isolating the execution of that third-party code piece in a sandboxed process.

In an embodiment, third-party code is executed in a sandboxed process in response to determining that the third-party code exhibits behaviors indicative of a potential speculative execution attack. In an embodiment, this determination is based on monitoring the behavior of a third-party code piece running in a first isolated execution environment of a plurality of isolated execution environments of a first process. In response to determining that the behavior of the executing third-party code is indicative of a potential speculative execution attack, a monitor can set a flag or indicator. When the computer system receives a subsequent request that triggers execution of the third-party code piece whose behavior has been determined to be indicative of the potential speculative execution attack, the computer system generates a second process and reschedules the request to be executed by the second process instead of the first process. An isolated execution environment is instantiated in the second process and the third-party code is loaded into the isolated execution environment of the second process. The third-party code can then be executed within the isolated execution environment of the second process. The second process can be a child process of the first process and be configured only to execute the specific third-party code indicated as exhibiting behavior indicative of a potential speculative execution attack. The second process may be on the same physical machine as the first process, or in some cases, may be on a different physical machine as the first process. Further, the second process can be prevented from interacting with any other process or storage within the system with the exception of the first process. By way of example, if the executing third-party code piece in the second process makes a subrequest, the subrequest is transmitted to the first process (e.g., the parent process).

The operating system of the compute server may have further speculative execution attack mitigations that can be used concurrently with the mitigations described herein. The speculative execution attack mitigation techniques offered by the operating system of the compute server may be designed to prevent speculative execution attacks between processes. The operating system mitigation techniques may not, however, prevent such a speculative execution attack within a single process. By moving a potential speculative execution attack to a single isolated process (e.g., the second process), the speculative execution attacks may be prevented across processes (e.g., using techniques provided by the operating system) and any data that is leaked within the single isolated process will be data from that single isolated process and not from the address space of a different process.

There is a chance of a false positive when detecting that a third-party code piece is part of a potential speculative execution attack (e.g., a legitimate third-party code piece is detected as being part of a potential speculative execution attack). However, the workers (including the worker whose behavior is indicative of a potential speculative execution attack) are stateless in an embodiment. This allows the workers to be moved and isolated into a separate process (or to another machine) and lets them run in the same manner as if they were not rescheduled. Thus, even if a legitimate third-party code piece is flagged as potentially suspicious and moved to its own private process, the legitimate third-party code piece will still continue to execute without significantly impacting its performance, while malicious third-party code pieces that are flagged as potentially suspicious will be isolated from the other third-party code pieces thereby mitigating speculative execution attacks.

FIG. 1 illustrates an exemplary embodiment of a cloud computing platform that executes third-party code in a distributed cloud computing network according to an embodiment and mitigates against a potential speculative execution attack. The cloud computing platform provides different services such as protecting against internet-based threats, providing performance services for customers (e.g., acting as a content delivery network (CDN) and dynamically caching customer's files close to visitors, page acceleration, etc.), TCP stack optimizations, and/or other services. The system 100 includes the client devices 110A-N, the compute servers 120A-N, the control server 130, the origin server 140, and the customer device 150.

Each client device is a computing device (e.g., laptop, workstation, smartphone, mobile phone, tablet, gaming system, set top box, wearable device, Internet of Things (IoT) device, etc.) that is capable of transmitting and/or receiving network traffic. Each client device may execute a client network application such as a web browser, native application, or other application that can access network resources (e.g., web pages, images, word processing documents, PDF files, movie files, music files, or other computer files).

The compute servers 120A-N are part of the cloud computing platform. The compute servers 120A-N are physical servers and are geographically distributed (e.g., in different locations throughout the world). The compute servers 120A-N are part of the distributed cloud computing network 105. There may be hundreds of compute servers as part of the cloud computing platform. Although not illustrated in FIG. 1, the compute servers 120A-N may be part of PoPs that may include other physical servers (e.g., one or more compute servers, one or more control servers, one or more DNS servers (e.g., one or more authoritative name servers, one or more proxy DNS servers), and one or more other pieces of network equipment such as router(s), switch(es), and/or hub(s)). Each PoP (and each compute server) may be part of a different data center and/or colocation site. Although not illustrated in FIG. 1, there are other physical devices between the compute servers 120A-N such as routers, switches, etc.

The control server 130 is operated by the cloud computing platform and provides a set of tools and interfaces for a customer to, among other things, configure code to run in the cloud computing platform. For instance, the control server 130 may allow the customer to upload one or more worker scripts and may allow the customer to specify when the worker script(s) are to be run. For instance, the customer may associate a rule that indicates when a worker script is to be run. By way of example, the control server 130 may allow the customer to configure a URL matching pattern that indicates the URL(s) for which the worker script is to run. The control server 130 may allow the customer to delete and update previously uploaded worker script(s).

The control server 130 deploys each worker script to each of the compute servers 120A-N automatically (without the customer selecting which of the compute servers 120A-N in which to deploy the worker script). In another embodiment, the control server 130 allows the customer to indicate which of the compute servers 120A-N are to be deployed a particular worker script. The control server 130 creates an identifier for each unique worker script. In an embodiment, the identifier is created by hashing the content of the worker script (e.g., using a cryptographic hash function such as SHA-256), where two scripts with identical content will have the same identifier even if uploaded by different customers and even if applied to different zones.

In an embodiment, the control server 130 allows a customer to provision the service to the cloud computing platform through DNS. For example, DNS record(s) of a customer are changed such that DNS records of hostnames point to an IP address of a compute server instead of the origin server. In some embodiments, the authoritative name server of the customer's domain is changed to an authoritative name server of the service and/or individual DNS records are changed to point to the compute server (or point to other domain(s) that point to a compute server of the service). For example, the customers may change their DNS records to point to a CNAME record that points to a compute server of the service. In one embodiment, customers may use the control server 130 to change their authoritative name server to an authoritative name server of the cloud computing platform and/or change their zone file records to have their domain point to the compute servers.

The third-party device 150 is a computing device (e.g., laptop, workstation, smartphone, mobile phone, tablet, etc.) that is used by third parties to, among other things, configure their third-party code to run in the cloud computing platform. A third-party may be a customer of the cloud computing platform and/or a party that is configuring third-party code to run in the cloud computing platform.

The origin server 140, which may be owned or operated directly or indirectly by the customer of the cloud computing platform, is a computing device on which a network resource resides and/or originates (e.g., web pages, images, word processing documents, PDF files movie files, music files, or other computer files). In an embodiment, the origin server 140 is not required to be in the cloud computing platform (e.g., third-party code may run on the compute servers without communicating with an origin server). Although FIG. 1 illustrates the origin server 140 communicating with the compute server 120A, the origin server 140 may also communicate with one or more of the other compute servers 120B-N.

The compute servers 120A-N are geographically distributed which decreases the distance between requesting client devices and the compute servers and decreases the time necessary to respond to a request. The compute servers 120A-N may operate as a reverse proxy and receive request for network resources (e.g., HTTP requests) of a domain of the origin server 140. The particular compute server 120 that receives a request from a client device may be determined by the network infrastructure according to an Anycast implementation or by a geographical load balancer. For instance, the compute servers 120A-N may have a same anycast IP address for a domain of the origin server 140. If the origin server 140 handles the domain “example.com”, a DNS request for “example.com” returns an address record having the anycast IP address of the compute servers 120A-N. Which one of the compute servers 120A-N receives a request from a client device depends on which compute server 120 is closest to the client device in terms of routing protocol configuration (e.g., Border Gateway Protocol (BGP) configuration) according to an anycast implementation as determined by the network infrastructure (e.g., router(s), switch(es), and/or other network equipment between the requesting client and the compute servers 120A-N. By way of example, the client device 110A is closest to the compute server 120A, the client device 110B is closest to the compute server 120B, and the client device 110L is closest to the compute server 120N. Accordingly, requests from the client device 110A are received at the compute server 120A, requests from the client device 110B are received at the compute server 120B, and requests from the client device 110L are received at the compute server 120N. In some embodiments, instead of using an anycast mechanism, a geographical load balancer is used to route traffic to the nearest compute server. The number of client devices and compute servers illustrated in FIG. 1 is exemplary. The distributed cloud computing network 105 may include hundreds to thousands (or more) compute servers and each compute server may receive requests from thousands or more client devices.

In the example of FIG. 1, each of the compute servers 120A-N can execute the worker script(s) of a third-party. Each worker script is run in an isolated execution environment, such as run in an isolate of the V8 JavaScript engine. Thus, as illustrated in FIG. 1, the compute server 120A includes the isolated execution environments 130A-N that each executes a separate worker script 135. The isolated execution environment 130A-N are run within a single process. The worker scripts are not executed using a virtual machine or a container. In an embodiment, a particular worker script is loaded and executed on-demand (when and only if it is needed) at a particular compute server of the distributed cloud computing network. Each request for a domain that triggers handling of a worker script will be handed by the worker at the compute server that is closest to the requesting user.

When a worker script is determined to exhibit behavior indicative of a potential speculative execution attack, a separate isolated execution environment (e.g., the isolated execution environment 130Z) can be generated in a sandboxed process to execute the suspicious worker script. In the example of FIG. 1, when a worker script (e.g., the worker script 135) is determined to exhibit behavior indicative of a potential speculative execution attack, the worker script 135 can be moved or rescheduled to the isolated execution environment 130Z. The suspicious worker script 137 is a worker script 135 that has been moved or rescheduled to the isolated execution environment 130Z. The content of the suspicious worker script 137 may be the same as the content as the worker script 135.

FIG. 2 illustrates an example of a compute server 120 according to an embodiment. The compute server 120A includes a gateway 210, a worker process 215, a cache 220, a data store 240, and a private process 245. The gateway 210 receives web requests and processes web responses (e.g., HTTP requests and HTTP responses). The gateway 210 may be acting as a reverse proxy for the origin server 140. The gateway 210 has access to the cache 220 that is configured to cache network resources (e.g., web pages, images, word processing documents, PDF files movie files, music files, or other computer files), configuration files, scripts, and/or other computer files. The data store 240 is configured to store, among other items, the worker scripts that are received from the control server 130, the URL matching pattern rule that indicates the URL(s) for which the worker script is to run, and a worker script mapping that maps worker script identifiers to URL matching patterns.

The worker process 215 is a single process that executes the isolated execution environments 130A-N. There may be hundreds to thousands of isolated execution environments that are run simultaneously by the worker process 215. Each different worker script 135 is run by a different one of the isolated execution environments 130A-N each with its own heap. The worker process 215 starts an isolated execution environment to load a particular worker script on the first use of the worker script. Depending on the complexity of the worker script, loading the worker script may take approximately tens to hundreds of milliseconds of CPU time. A worker script says loaded in memory between requests so that the worker script can be used to respond quickly when a new request that triggers that worker script arrives. Handling a single request for a worker script that is already loaded typically takes a fraction of a millisecond of CPU time depending on the complexity of the worker script. In an embodiment, one isolated execution environment is created per unique worker script identifier. Thus, if many zones use identical worker scripts, memory is saved by compiling the script only once. The worker process 215 evicts worker scripts (e.g., in a least recently used fashion). The worker process 215 may be started during booting of the compute server 120A or when the first worker script is triggered for execution.

The gateway 210 receives a request from the client device 110A. The request may be an HTTP request for a zone of the customer. The gateway 210 processes the request including determining whether the request triggers executing of a worker script. For instance, the gateway 210 analyzes the request URL against the URL matching pattern configured for the zone to determine if a worker script is to be executed. If a worker script is to be executed, the gateway 210 annotates the request with the identifier of the worker script to be executed as determined by the script mapping table and forwards the request to the worker process 215. If the identified worker script is already loaded (if there is already an isolated execution environment running an instance of the worker script), the worker process 215 does not need to load another instance of the worker script. However, if the identified worker script that is already loaded is from a different zone (which is probably from a different customer), the worker process 215 creates a separate context (a global object) for the worker script so that each zone has its own isolated global state. That prevents zones from interfering with the state of other zones. The gateway 210 generates the response after the worker script(s) are executed. If the identified worker script is not loaded, the worker process 215 creates an isolated execution environment and loads and executes the worker script.

The executed worker script can take various actions depending on how the script is written. The worker script may make one or more further requests (referred herein as “subrequests”) such as additional HTTP requests. These subrequests may be destined for the origin server 140 or to other destinations on the internet. The worker process 215 sends the subrequests back to the gateway 210 for further processing. The gateway 210 is configured to prevent the subrequest from looping back to the same worker script. But, the subrequest may trigger a different worker script potentially from a different zone. If the subrequest is to the same zone, the gateway 210 transmits the subrequest to the origin server 140 for processing and receives the response from the origin server 140. If the subrequest triggers a worker script, the gateway 210 annotates the request with the identifier of the worker script to be executed as determined by the script mapping table and forwards the request to the worker process 215 for executing the script.

Thus, a single request can trigger multiple worker scripts, even from different zones from different customers, to be run. Since the worker scripts are run on the same physical compute server, network latency to execute these scripts reduces to zero. Further, there is savings in bandwidth because the different origin zones may not need to be contacted. To provide an example, say a customer has a service where a user can make a purchase by an SMS message. The user sends an SMS message to make the purchase where the SMS message is handled by an API of a first third-party provider that generates an event to a function. That function invokes a payment API of a second third-party provider to charge the user's credit card, which generates an invoice event that is handled by a function to email the invoice to the user. Each of these transactions involve potentially crossing the internet, incurring latency and bandwidth charges. In contrast, with embodiments described herein, the API of the first third-party provider and the API of the second third-party provider can be implemented as worker scripts and executed on the same physical compute server, reducing latency and bandwidth.

The worker scripts can perform many different actions. By way of example, the worker scripts may perform one or more of the following: intercept and modify HTTP request and response URLs, status, headers, and body content; respond to requests directly from the worker script or forward the request elsewhere; send HTTP requests to third-party servers; send multiple requests, in serial or in parallel, and use the responses to compose a final response to the original request; send asynchronous requests after the response has already been returned to the client (for example, for logging or analytics); and control behavior such as caching behavior. A customer may perform one or more of these actions to do the following, for example: perform A/B testing between two different back-ends; build “serverless” applications that rely entirely on web APIs; create custom security filters to block unwanted traffic; rewrite requests to improve cache hit rate; implement custom load balancing and failover logic; and/or collecting analytics without running code in the user's browser. Of course, these are just examples and the worker scripts can be used to perform other actions.

The worker process 215 also has a monitor 225 configured to monitor the execution of each worker script in each of the isolated execution environments 130A-N. For example, the monitor 225 determines whether the behavior of an executing worker script is indicative of a potential speculative execution attack. Behaviors indicative of a potential speculative execution attack can include a worker script exhibiting a high cache miss rate (e.g., a cache miss rate higher than an established or defined threshold value), a worker script utilizing a large amount of CPU time for each request triggering execution of the worker script (e.g., an amount of CPU time exceeding an established or defined threshold value), etc. In response to the monitor 225 detecting behaviors indicative of a potential speculative execution attack, the worker process 215 can transfer or reschedule the suspect worker script from the worker process 215 to a private process (e.g., private process 245). In an embodiment, the execution of the worker script for any current requests are completed by the worker process 215, and subsequent requests triggering the execution of the worker script are performed by the worker script in the private process 245. In another embodiment, after the monitor 225 detects the behaviors indicative of a potential speculative execution attack, any current requests causing execution of the worker script are sent or rescheduled to the private process 245 for completion.

The private process 245 is a single process that executes an isolated execution environment 130Z. In an embodiment, the private process 245 includes only a single isolated execution environment 130Z for running a single worker script. The private process 245 instantiates the isolated execution environment 130Z to load a particular worker script in response to instructions from the worker process 215. For example, the worker process 215 moves a worker script 135 that it has determined to have behavior indicative of a potential speculative execution attack to the private process 245. The suspicious worker script 137 is a worker script 135 that has been rescheduled from the worker process 215 to the private process 245 for execution. The suspicious worker script 137 may have the same content as the content of the worker script 135. The private process 245 may be a sandbox configured to only execute the third-party code piece. In a case where the private process 245 is sandboxed, any subrequests generated by the worker script in the private process 245 are directed back to the worker process 215 to prevent the private process 245 from interacting with any other process or storage within the system. The worker process 215 can then transmit the subrequest to the gateway 210 on behalf of the private process 245.

In an embodiment, the private process 245 is generated on-demand and persists within the compute server 120A until the compute server 120A evicts the private process 245. For example, the compute server 120A can evict or discard the private process 245 when the compute server 120A requires memory for other purposes (e.g., in a least recently used fashion), when the worker script being run in the private process 245 is not being used (e.g., no requests for the worker script for longer than an amount of time that triggers a garbage collection process), etc.

Although FIG. 2 shows a single worker script (worker script 135) being moved from being executed within the worker process 215 to being executed in the private process 245 (e.g., as a suspicious worker script 137), in an embodiment a separate private process is created for each worker whose behavior has been determined to be indicative of a potential speculative execution attack. In another embodiment, a single private process may be created and execute at least two workers whose behavior has been determined to be indicative of a potential speculative execution attack.

FIG. 3 is a flow diagram that illustrates exemplary operations for executing third-party code in a distributed cloud computing network according to an embodiment. The operations of FIG. 3 are described with respect to the exemplary embodiment of FIG. 1. However, the operations of FIG. 3 can be performed by different embodiments than those of FIG. 1, and the embodiment described in FIG. 1 can perform operations different than those of FIG. 3. The operations of FIG. 3 will be described with respect to HTTP/S request and responses. But, the operations of FIG. 3 can be performed with different types of requests and responses.

At operation 305, a first one of multiple compute servers of a distributed cloud computing network receives a request that triggers execution of a first code piece. The request may be received by a client device and be an HTTP or HTTPS request, for example, destined for a zone. The first code piece is one of multiple code pieces that can be executed by the first compute server. The first code piece may be a third-party code piece (written and/or provided by an owner or operator of the zone). The first code piece can be, for example, a piece of JavaScript or other dynamically-typed language, a WASM compiled piece of code, or other compiled code. The first compute server may determine that the request triggers execution of the first code piece by matching the zone to a predetermined matching pattern that associates the first code piece to the predetermined matching pattern. For instance, the compute server may analyze the request URL against a URL matching pattern configured for the zone to determine if a code piece is to be executed and if so, which code piece. With respect to FIG. 1, the compute server 120A receives a request from the client device 120A that triggers execution of a first code piece. To provide an example, the HTTP request is an HTTP GET method for “example.com”, which matches a predefined matching pattern to apply to a code piece with a first identifier.

The distributed cloud computing network includes multiple compute servers including the first compute server. The compute servers are geographically distributed. There may be hundreds or more compute servers. In an embodiment, each of the compute servers are anycasted to a same IP address, and the first compute server receives the request in operation 305 because the first compute server is the closest one of the compute servers to the client device making the request as determined by an anycast implementation. For instance, a DNS request for an address record of the zone “example.com” returns an anycasted IP address of the compute servers. Alternatively, the first compute server may receive the request as a result of a geographical load balancer routing the request to it.

In an embodiment, each of the compute servers of the distributed cloud computing network includes the first code piece. The first code piece can be deployed to each of the compute servers without the owner or operator of the zone selecting which of the compute servers are to receive and potentially run the first code piece. In an alternative embodiment, the owner or operator of the zone selects which of the compute servers are to receive and potentially run the first piece.

Next, at operation 310, a single process of the first compute server executes the first code piece in a first isolated execution environment. Multiple other code pieces are being executed by the single process in multiple other isolated execution environments respectively. Code in one isolated execution environment cannot interfere with code running in a different execution environment despite being in the same process. The code pieces may be triggered to execute for different zones and different customers. The isolated execution environment is managed in user-space rather than by an operating system. Data cannot be shared or moved across isolated execution environments (each isolated execution environment has a completely separate state). The single process on the compute server can run multiple isolated execution environments (e.g., hundreds to thousands) seamlessly switching between them. Each isolated execution environment uses its own mechanism to ensure safe memory access, such as preventing the code from requesting access to arbitrary memory (restricting its use to the objects it has been given) and/or interpreting pointers within a private address space that is a subset of an overall address space. In a specific implementation, the first code piece is run in an isolate of the V8 JavaScript engine.

In an embodiment, the first code piece is loaded and executed on-demand (when and only if it is triggered to execute). That is, first code piece will not be loaded into memory until and unless a request triggers it for execution. The first code piece stays loaded in memory (at least for a certain amount of time) between requests so that the first code piece can be used to respond quickly if a new request is received that triggers execution of that same first code piece. An eviction process may evict code pieces in a least recently used fashion. If the first code piece is not already loaded in memory and/or an isolated execution environment is not running for to execute the first code piece, an isolated execution environment is created, and/or the first code piece is loaded to memory. Depending on the complexity of the first code piece, loading the first code piece may take approximately tens to hundreds of milliseconds of CPU time.

In an embodiment, a timer that can be used to return the current time is prevented or suspended from being executed during execution of the first code piece in a first isolated execution environment. For example, a date function call (e.g., Date.now( )) can typically be used to return the current time. To combat speculative execution attacks, such function calls can be suspended during code execution so if the Date.now( ) function is called before and after executing a request that includes third-party code, the same value (e.g., the time when the request was received) is returned.

Concurrency can also typically be used to create implicit timers. For example, by performing a concurrent task at the same time as running code in order to compare the concurrent task's runtime vs. the code execution time. To address this issue, the execution of the first code piece to process a request is restricted to be performed serially (e.g., performed in a strict order using a single CPU core). Thus, the processing of requests by the first code piece is restricted to be done serially without concurrency. For example, if the executing first code piece calls another instance of the first code piece to execute, the callee first code piece may be prevented from running concurrently with the caller first code piece.

The limiting of access to timers and/or concurrency makes a speculative execution attack much longer to carry out. For example, instead of having access to local timing, the attack would need to use remote timing. For example, a client of a malicious user can send a request to the third-party code piece and calculate how long until a reply is received. Of course, the request and reply is over the internet so there is a certain amount of noise that is introduced into the timing. A successful speculative execution attack needs to amplify itself until the point where the difference between a one bit and a zero bit is larger than the noise window. This noise therefore lowers the bandwidth of the attack and slows the attack down. The slowing down of the attack may allow for further mitigation techniques described herein such as determining whether a third-party code piece exhibits behaviors indicative of a potential speculative execution attack code, and if so, isolating the execution of that third-party code piece in a sandboxed process.

Executing the first code piece can take many actions depending on the instructions of the first code piece, including actions to improve performance, enhance security, and/or increase reliability. As an example for improving performance, the first code piece can perform the following: use custom logic to decide which if the request is cacheable at the compute server, and canonicalize the requests to improve cache hit rate; expand HTML templates directly on the compute server, fetching only dynamic content from the origin server; respond to stateless requests directly from the compute server without contacting the origin server; and/or split one request into multiple parallel requests to different servers, then combine the responses into a single response to the client. As examples for enhancing security, the first code piece can perform the following: implement custom security rules and filter; and/or implement custom authentication and authorization mechanism. As examples for increasing reliability, the first code piece can perform the following: deploy fast fixes to the website without having to update the code on the origin server; implement custom load balancing and failover logic; and respond dynamically when the origin server is unreachable.

The execution of the first code piece may cause a subrequest to be generated. A subrequest is an additional request such as an additional HTTP request. The subrequest can be destined for the origin server of the zone or can be destined to a different server on the internet. If the subrequest is for the zone, the first compute server is configured to prevent the subrequest from looping back to the same first piece of code. Instead, the first compute server transmits the subrequest to the origin server for processing.

If the subrequest is for a different zone that handled by the first compute server (e.g., a DNS request for an address record of the different zone returns an anycasted IP address of the compute servers), the subrequest can be processed by the first compute server directly (without the subrequest being transmitted to another compute server, for example). Processing of this subrequest may trigger a different code piece to be executed. If the subrequest is for a different zone that is not handled by the first compute server (e.g., a DNS request for an address record of the different zone does not return an IP address of the first compute server), the compute server transmits the subrequest to that different server. In an embodiment, a code piece is limited to a predefined number of subrequests. A header stores a number that counts the number of subrequests and if it exceeds the limit, the subrequest will not be processed.

Next, at operation 315, the first compute server generates a response to the request based at least in part on the executed first code piece. The response may be an HTTP response, for example. The content of the response depends on the execution of the first code piece. In an embodiment, the execution of the first code piece itself returns an HTTP response. The first code piece can be written to respond to the request directly (with no subrequests). Alternatively, the first code piece can be written to make one or more subrequests and generate the response with the results of the subrequest(s). Next, at operation 320, the first compute server transmits the generated response to the requesting client device.

FIG. 4 is a flow diagram that illustrates exemplary operations for monitoring third-party code executing in a distributed cloud computing network according to an embodiment. The operations of FIG. 4 are described with respect to the exemplary embodiment of FIGS. 1 and 2. However, the operations of FIG. 4 can be performed by different embodiments than those of FIGS. 1 and 2, and the embodiment described in FIGS. 1 and 2 can perform operations different than those of FIG. 4. The operations of FIG. 4 will be described with respect to HTTP/S request and responses. But, the operations of FIG. 4 can be performed with different types of requests and responses.

At operation 405, a monitor (e.g., the monitor 225) of a first process (e.g., the worker process 215) in a first compute server (e.g., the compute server 120A) monitors a behavior of an executing third-party code piece (e.g., the worker script 135), where the third-party code piece is executing in a first isolated execution environment of the first process (e.g., the isolated execution environment 130A).

In an embodiment, the first compute server of multiple compute servers of a distributed cloud computing network receives a request that triggers the execution of the third-party code piece by the first process. With respect to FIG. 2, the gateway 210 receives the request. The request may be received from a client device and be an HTTP or HTTPS request, for example, destined for a zone. The third-party code piece is one of multiple code pieces that can be executed by the first compute server. In an embodiment, the third-party code piece is written and/or provided by an owner or operator of the zone. The third-party code piece can be, for example, a piece of JavaScript or other dynamically-typed language, a WASM compiled piece of code, or other compiled code. The first compute server may determine that the request triggers execution of the third-party code piece by matching the zone to a predetermined matching pattern that associates the third-party code piece to the predetermined matching pattern. For instance, the compute server may analyze the request URL against a URL matching pattern configured for the zone to determine if a code piece is to be executed and if so, which code piece. With respect to FIG. 2, the compute server 120A receives a request from the client device 120A that triggers execution of a third-party code piece. To provide an example, the HTTP request is an HTTP GET method for “example.com”, which matches a predefined matching pattern to apply to a code piece with a first identifier.

The distributed cloud computing network includes multiple compute servers including the first compute server. The compute servers are geographically distributed. There may be hundreds or more compute servers. In an embodiment, each of the compute servers are anycasted to a same IP address, and the first compute server receives the request in operation 405 because the first compute server is the closest one of the compute servers to the client device making the request as determined by an anycast implementation. For instance, a DNS request for an address record of the zone “example.com” returns an anycasted IP address of the compute servers. Alternatively, the first compute server may receive the request as a result of a geographical load balancer routing the request to it.

In an embodiment, each of the compute servers of the distributed cloud computing network includes the third-party code piece. The third-party code piece can be deployed to each of the compute servers without the owner or operator of the zone selecting which of the compute servers are to receive and potentially run the third-party code piece. In an alternative embodiment, the owner or operator of the zone selects which of the compute servers are to receive and potentially run the third-party piece.

In an embodiment, multiple other code pieces are being executed by the first process in multiple other isolated execution environments respectively. Code in one isolated execution environment cannot interfere with code running in a different execution environment despite being in the same process. The code pieces may be triggered to execute for different zones and different customers. The isolated execution environment is managed in user-space rather than by an operating system. Data cannot be shared or moved across isolated execution environments (each isolated execution environment has a completely separate state). The first process on the compute server can run multiple isolated execution environments (e.g., hundreds to thousands) seamlessly switching between them. Each isolated execution environment uses its own mechanism to ensure safe memory access, such as preventing the code from requesting access to arbitrary memory (restricting its use to the objects it has been given) and/or interpreting pointers within a private address space that is a subset of an overall address space. In a specific implementation, the third-party code piece is run in an isolate of the V8 JavaScript engine.

In an embodiment, the third-party code piece is loaded and executed on-demand (when and only if it is triggered to execute). That is, third-party code piece will not be loaded into memory until and unless a request triggers it for execution. The third-party code piece stays loaded in memory (at least for a certain amount of time) between requests so that the third-party code piece can be used to respond quickly if a new request is received that triggers execution of that same third-party code piece. An eviction process may evict code pieces in a least recently used fashion. If the third-party code piece is not already loaded in memory and/or an isolated execution environment is not running for to execute the third-party code piece, an isolated execution environment is created, and/or the third-party code piece is loaded to memory. Depending on the complexity of the first code piece, loading the first code piece may take approximately tens to hundreds of milliseconds of CPU time.

Executing the third-party code piece can take many actions depending on the instructions of the third-party code piece, including actions to improve performance, enhance security, and/or increase reliability. As an example for improving performance, the third-party code piece can perform the following: use custom logic to decide which if the request is cacheable at the compute server, and canonicalize the requests to improve cache hit rate; expand HTML templates directly on the compute server, fetching only dynamic content from the origin server; respond to stateless requests directly from the compute server without contacting the origin server; and/or split one request into multiple parallel requests to different servers, then combine the responses into a single response to the client. As examples for enhancing security, the third-party code piece can perform the following: implement custom security rules and filter; and/or implement custom authentication and authorization mechanism. As examples for increasing reliability, the third-party code piece can perform the following: deploy fast fixes to the website without having to update the code on the origin server; implement custom load balancing and failover logic; and respond dynamically when the origin server is unreachable.

The execution of the third-party code piece may cause a subrequest to be generated. A subrequest is an additional request such as an additional HTTP request. A subrequest may identify the third-party code piece that generated the subrequest (e.g., it may include the identifier of the third-party code piece). The subrequest can be destined for the origin server of the zone or can be destined to a different server on the internet. If the subrequest is for the zone, the first compute server is configured to prevent the subrequest from looping back to the same first piece of code. Instead, the first compute server transmits the subrequest to the origin server for processing. In an embodiment, instead of the request being received from an external client device, the request could be received as a subrequest sent by a third-party code piece.

If the subrequest is for a different zone that handled by the first compute server (e.g., a DNS request for an address record of the different zone returns an anycasted IP address of the compute servers), the subrequest can be processed by the first compute server directly (without the subrequest being transmitted to another compute server, for example). Processing of this subrequest may trigger a different code piece to be executed. If the subrequest is for a different zone that is not handled by the first compute server (e.g., a DNS request for an address record of the different zone does not return an IP address of the first compute server), the compute server transmits the subrequest to that different server. In an embodiment, a code piece is limited to a predefined number of subrequests. A header stores a number that counts the number of subrequests and if it exceeds the limit, the subrequest will not be processed.

At operation 410, the monitor 225 determines whether the behavior of the executing third-party code is indicative of a potential speculative execution attack. Behaviors indicative of a potential speculative execution attack can include a worker script exhibiting a high cache miss rate (e.g., a cache miss rate higher than an established or defined threshold value), a worker script utilizing a large amount of CPU time for each request triggering execution of the worker script (e.g., an amount of CPU time exceeding an established or defined threshold value), etc.

In an embodiment, determining whether the behavior of the executing third-party code piece is indicative of a potential speculative execution attack is based on the evaluation of a plurality of requests triggering execution of the same third-party code. For example, the behavior of the executing third-party code piece can be considered indicative of a potential speculative execution attack when the average cache miss rate for a plurality of requests is above a threshold value. In another example, if some defined percentage of requests are over a defined threshold of CPU time within a certain period of time (measured by a number of requests), it can be indicative of a potential speculative execution attack. In such examples, the monitor 225 can maintain a history of measurements from the execution of the third-party code piece for multiple requests.

If the behavior of the executing third-party code piece is not indicative of a potential speculative execution attack, then operations move to operation 415. If the behavior of the executing third-party code piece is indicative of a potential speculative execution attack, then operations move to operation 420.

At operation 415, when the monitor 225 determines that the executing third-party code piece is not indicative of a potential speculative execution attack, the gateway 210 waits to receive additional requests that trigger execution of the third-party code piece. The operations then process to operation 405 to monitor the behavior of the third-party code piece executing in response to the subsequent request.

At operation 420, the monitor 225 flags, marks, or otherwise indicates, that the third-party code piece has exhibited behavior indicative of a potential speculative execution attack. Flagging the third-party code piece as exhibiting behavior indicative of a potential speculative execution attack indicates that any subsequent requests should be handled by a separate process from the first process, such as the private process 245 (e.g., a child process of the first process) for execution.

FIG. 5 is a flow diagram that illustrates exemplary operations for executing third-party code in a distributed cloud computing network according to an embodiment. The operations of FIG. 5 are described with respect to the exemplary embodiment of FIGS. 1 and 2. However, the operations of FIG. 5 can be performed by different embodiments than those of FIGS. 1 and 2, and the embodiment described in FIGS. 1 and 2 can perform operations different than those of FIG. 5. The operations of FIG. 5 will be described with respect to HTTP/S request and responses. But, the operations of FIG. 5 can be performed with different types of requests and responses.

At operation 505, a first one of multiple compute servers of a distributed cloud computing network receives a request. The request may be received by a client device and be an HTTP or HTTPS request, for example, destined for a zone. In an embodiment, the compute server receives the request out of the multiple compute servers because it has been determined to be the closest to the requesting client device as determined by an anycast implementation. Instead of the request being received from an external client device, the request could be received as a subrequest sent by a third-party code piece. If a subrequest, the subrequest may identify the third-party code piece that generated the subrequest (e.g., it may include the identifier of the third-party code piece).

With respect to FIG. 2, the gateway 210 receives the request. Next at operation 510, the gateway 210 determines whether the request triggers execution of a third-party code piece. The gateway 210 may determine that the request triggers execution of a third-party code piece by matching the zone to a predetermined matching pattern that associates the third-party code piece to the predetermined matching pattern. For instance, the gateway 210 may analyze the request URL against a URL matching pattern configured for the zone to determine if a third-party code piece is to be executed and if so, which third-party code piece. If the request does not trigger execution of a third-party code piece, then operations move to operation 520. If the request triggers execution of a third-party code piece, then operations move to operation 512.

The gateway 210 is configured to prevent a subrequest from looping back to the same third-party code piece. Thus, at operation 512, the gateway 210 determines if the request is from a subrequest made from execution of a third-party code piece and would trigger execution of the same third-party code piece. For example, the gateway 210 determines whether the request identifies the third-party code piece as generating the request and determines whether the request triggers execution of the same third-party code piece using the predetermined matching pattern. If the request is a subrequest and would trigger execution of the same third-party code piece, then flow moves to operation 515. Otherwise, flow moves to operation 520. If a third-party code piece is to be executed, the gateway 210 annotates the request with the identifier of the third-party code piece to be executed as determined by the script mapping table and forwards the request to the worker process 215.

At operation 520, the request is processed without executing a third-party code piece. The request may be processed differently depending on the destination of the request and the requester. For instance, if the request is for a web page from a client device, the gateway 210 may access the web page and/or the resource(s) of the web page from the cache 220 (if available) and/or from the origin server of the domain of the web page. If the request is from a third-party code piece (a subrequest), the gateway 210 processes the request and response and returns the data to the third-party code piece for further processing. After processing the request, flow moves to operation 540 for generating the response.

At operation 515, the worker process 215 determines whether that third-party code piece has been determined as exhibiting behavior that is indicative of a potential speculative execution attack. For example, the worker process 215 checks whether the identified third-party code piece has been flagged or otherwise indicated as exhibiting behavior indicative of a potential speculative execution attack (e.g., as a result of the operations of FIG. 4). If the third-party code piece has been determined to be exhibiting behavior that is indicative of a potential speculative execution attack, then operations move to operation 610 of FIG. 6. If the third-party code piece has not been determined to be exhibiting behavior that is indicative of a potential speculative execution attack, then operations move to operation 525.

In an embodiment, third-party code pieces stay loaded in memory between requests so that they can be used to respond quickly when a new request that triggers the third-party code piece arrives. A third-party code piece may be run separately per zone. Each different zone running the same third-party code piece may be put in a separate context (have their own global object) within the same isolated execution environment running that third-party code piece so each zone as its own isolated global state. This prevents two different zones from interfering with the states of each other while allowing the contexts to share resources. At operation 525, the worker process 215 determines whether the third-party code piece is loaded into memory. If the third-party code piece is loaded (e.g., if there is already an isolated execution environment running for the third-party code piece for the zone), the third-party code piece is executed in operation 535. If the third-party code piece is not loaded, then at operation 530 the third-party code piece is loaded and then the third-party code piece is executed in operation 535.

In an embodiment, a timer that can be used to return the current time is prevented or suspended from being executed during execution of the third-party code piece. For example, a date function call (e.g., Date.now( )) can typically be used to return the current time. To combat speculative execution attacks, such function calls can be suspended during code execution so if the Date.now( ) function is called before and after executing a request that includes third-party code, the same value (e.g., the time when the request was received) is returned.

Concurrency can also typically be used to create implicit timers. For example, by performing a concurrent task at the same time as running code in order to compare the concurrent task's runtime vs. the code execution time. To address this issue, the execution of the first code piece to process a request is restricted to be performed serially (e.g., performed in a strict order using a single CPU core). Thus, the processing of requests by the third-party code piece is restricted to be done serially without concurrency. For example, if the third-party code piece calls another instance of the third-party code piece to execute, the callee third-party code piece may be prevented from running concurrently with the caller third-party code piece.

The executed third-party code piece can take various actions depending on how the code is written. The third-party code piece may make one or more subrequests that can be destined for an origin server of the zone of the third-party code piece or to other destinations on the internet. As illustrated in FIG. 5, if executing the third-party code piece in operation 535 causes a subrequest to be generated, the subrequest is received at the gateway 210 in operation 505. The subrequest identifies the third-party code piece that generated the subrequest. The result of the subrequest may be processed by the code piece.

At operation 540, a response is generated. The response may be an HTTP response, for example. If a third-party code piece was executed, the content of the response depends on the execution of that third-party code piece. The response is sent to the requesting client.

FIG. 6 is a flow diagram that illustrates exemplary operations for executing third-party code in a private process in a distributed cloud computing network according to an embodiment. The operations of FIG. 6 are described with respect to the exemplary embodiment of FIGS. 1 and 2. However, the operations of FIG. 6 can be performed by different embodiments than those of FIGS. 1 and 2, and the embodiment described in FIGS. 1 and 2 can perform operations different than those of FIG. 6. The operations of FIG. 6 will be described with respect to HTTP/S request and responses. But, the operations of FIG. 6 can be performed with different types of requests and responses.

At operation 610, the first process of the first compute server (e.g., the worker process 215) determines whether a second process (e.g., the private process 245) for executing the third-party code piece exists in the first compute server (e.g., the compute server 120A). If the second process for executing the third-party code piece exists in the first compute server, then operations move to operation 630 for execution of the third-party code piece. If the second process for executing the third-party code piece does not exist in the first compute server, then operations move to operation 615.

At operation 615, when the first process of the first compute server determines that a second process for executing the third-party code piece does not exist in the first compute server, the first process generates a second process, where the second process is separate from the first process. The second process may be a sandbox configured to only execute the third-party code piece. In an embodiment, the second process is a child process of the first process. For example, private process 245 can be a child process of worker process 215. As part of the parent process-child process relationship, the worker process 215 can send the third-party code piece for loading onto the private process 245, and the private process 245 can direct any subrequests to the worker process 215 for transmission to the gateway 210.

In an embodiment where the request that was initially determined to exhibit behaviors indicative of a potential speculative execution attack is still executing when the second process is generated (in response to a subsequent request), the request is allowed to be completed by the first process. However, in another embodiment, the request that was initially determined to exhibit behaviors indicative of a potential speculative execution attack is rescheduled to the second process for completion.

At operation 620, the first process of the first compute server instantiates an isolated execution environment within the second process for executing the third-party code piece. The isolated execution environment may be like the other isolated execution environments. For example, code in one isolated execution environment cannot interfere with code running in a different execution environment. The isolated execution environment is managed in user-space rather than by an operating system. Data cannot be shared or moved across isolated execution environments (each isolated execution environment has a completely separate state). The isolated execution environment uses its own mechanism to ensure safe memory access, such as preventing the code from requesting access to arbitrary memory (restricting its use to the objects it has been given) and/or interpreting pointers within a private address space that is a subset of an overall address space. In a specific implementation, the isolated execution environment is an isolate of the V8 JavaScript engine.

At operation 625, the first process of the first compute server loads the third-party code piece in the single isolated execution environment of the second process. For example, the worker process 215 loads the worker script 135 in the isolated execution environment 130Z as a suspicious worker script 137. By loading the third-party code piece into the single isolated execution environment of the second process, the third-party code piece can execute, but is unable to attack other processes on the first compute server. In an embodiment, the first process sends the third-party code piece to the second process. In another embodiment, the second process loads the third-party code piece from a data store (e.g., data store 240).

At operation 630, after the third-party code piece has been loaded into the single isolated execution environment, the second process executes the third-party code piece in response to the request. In an embodiment, a timer that can be used to return the current time is prevented or suspended from being executed during execution of the third-party code piece. For example, a date function call (e.g., Date.now( )) can typically be used to return the current time. To combat speculative execution attacks, such function calls can be suspended during code execution so if the Date.now( ) function is called before and after executing a request that includes third-party code, the same value (e.g., the time when the request was received) is returned. Concurrency can also typically be used to create implicit timers. For example, by performing a concurrent task at the same time as running code in order to compare the concurrent task's runtime vs. the code execution time. To address this issue, the execution of the first code piece to process a request is restricted to be performed serially (e.g., performed in a strict order using a single CPU core). Thus, the processing of requests by the third-party code piece is restricted to be done serially without concurrency. For example, if the third-party code piece calls another instance of the third-party code piece to execute, the callee third-party code piece may be prevented from running concurrently with the caller third-party code piece.

At operation 635, the first compute server generates a response to the request based at least in part on the executed third-party code piece. The response may be an HTTP response, for example. The content of the response depends on the execution of the third-party code piece. In an embodiment, the execution of the third-party code piece itself returns an HTTP response. The third-party code piece can be written to respond to the request directly (with no subrequests). Alternatively, the third-party code piece can be written to make one or more subrequests and generate the response with the results of the subrequest(s). For example, the one or more subrequests can trigger execution of a second one of a plurality of third-party code pieces. In such embodiments, any subrequests are sent from the second process to the first process for transmission to the gateway (e.g., gateway 210). This is in contrast to subrequests generated when code is executed in the first process, where the subrequests can invoke additional processes to handle the request. The second process is a sandbox created solely for executing the third-party code piece. By operating in this manner, the third-party code piece executing in the isolated execution environment of the second process can be isolated and prevented from accessing additional resources of the first compute server.

After generating the response to the request, the first compute server transmits the generated response to the requesting client device. In an embodiment, the second process sends the generated response to the first process for transmission to the requesting client device.

Executing third-party code pieces that exhibit behavior indicative of a potential speculative execution attack in an isolated execution environment in a sandboxed process improves the performance as compared with executing the same third-party code pieces in a non-sandboxed process. The execution of the third-party code piece in the sandboxed process prevents the sandboxed process from interacting with any other process or storage within the system, thereby mitigating the risk of speculative execution attacks.

Further, despite being rescheduled to the sandboxed private process, the third-party code piece operates in the same manner as it would if it were not rescheduled, and thus had been executed in the main worker process. Thus, even if the determination of the third-party code piece as exhibiting behavior indicative of a potential speculative execution attack was a false positive, the execution of the third-party code piece in the sandboxed private process does not negatively impact the code execution. Further, malicious third-party code pieces that are flagged as potentially suspicious will be isolated from the other third-party code pieces thereby mitigating speculative execution attacks.

Running third-party code pieces in isolated execution environments improves the performance as compared with running code using a virtual machine or a container. Unlike other computing platforms that spin up a containerized process for processing code that can take as much as ten seconds, an isolated execution environment can be started in as little as 5 ms because a new process does not need to be started. Thus, the overhead of running an isolated execution environment is small as compared to other computing platforms. Further, since the third-party code can be run in a single process, there are no expensive context switches like experienced with other computing platforms which means that more time is spent actually running the code instead of performing context switches. FIG. 7 is a conceptual figure that shows a conceptual relationship between third-party code and the process overhead of the isolated execution environment model that is described in embodiments herein. FIG. 8 is a conceptual figure that shows a conceptual relationship between code and the process overhead of a virtual machine model. As seen in FIGS. 7 and 8, the process overhead of the virtual machine model is experienced for each different code piece (a new process has to be started for each different code piece), whereas the process overhead of the isolated execution environment model is experienced once.

FIG. 9 illustrates a block diagram for an exemplary data processing system 900 that may be used in some embodiments. Data processing system 900 includes one or more processors 905 and connected system components (e.g., multiple connected chips). One or more such data processing systems 900 may be utilized to implement the embodiments and operations described with respect to the compute server, control server, or other electronic device.

The data processing system 900 is an electronic device which stores and transmits (internally and/or with other electronic devices over a network) code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) and/or data using machine-readable media (also called computer-readable media), such as machine-readable storage media 910 (e.g., magnetic disks, optical disks, read only memory (ROM), flash memory devices, phase change memory) and machine-readable transmission media (also called a carrier) (e.g., electrical, optical, radio, acoustical or other form of propagated signals—such as carrier waves, infrared signals), which is coupled to the processor(s) 905. For example, the depicted machine-readable storage media 910 may store program code 930 that, when executed by the processor(s) 905, causes the data processing system 900 to execute the gateway 210, the worker process 215, and/or the private process 245.

The data processing system 900 also includes one or more input or output (“I/O”) devices and interfaces 925, which are provided to allow a user to provide input to, receive output from, and otherwise transfer data to and from the system. These I/O devices 925 may include a mouse, keypad, keyboard, a touch panel or a multi-touch input panel, camera, frame grabber, optical scanner, an audio input/output subsystem (which may include a microphone and/or a speaker), other known I/O devices or a combination of such I/O devices. The I/O devices and interfaces 925 may include wireless transceivers, such as an IEEE 802.11 transceiver, an infrared transceiver, a Bluetooth transceiver, a wireless cellular telephony transceiver (e.g., 2G, 3G, 4G, 5G), an NFC transceiver, or another wireless protocol to connect the data processing system 900 with another device, external component, or a network and receive stored instructions, data, tokens, etc. For instance, a wired or wireless transceiver may transmit and receive messages to and from the compute server as described herein.

Additional components, not shown, may also be part of the system 900, and, in certain embodiments, fewer components than that shown in FIG. 9 may also be used in a data processing system 900. One or more buses may be used to interconnect the various components shown in FIG. 9.

Thus, an electronic device (e.g., a computer or a mobile client device) includes hardware and software, such as a set of one or more processors coupled to one or more machine-readable storage media to store code for execution on the set of processors and/or to store data. For instance, an electronic device may include non-volatile memory containing the code since the non-volatile memory can persist the code even when the electronic device is turned off, and while the electronic device is turned on that part of the code that is to be executed by the processor(s) of that electronic device is copied from the slower non-volatile memory into volatile memory (e.g., dynamic random access memory (DRAM), static random access memory (SRAM)) of that electronic device. Typical electronic devices also include a set or one or more physical network interface(s) to establish network connections (to transmit and/or receive code and/or data using propagating signals) with other electronic devices. One or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.

The techniques shown in the figures can be implemented using code and data stored and executed on one or more computing devices (e.g., client device, compute server, DNS server, control server, origin server, etc.). Such computing devices store and communicate (internally and/or with other computing devices over a network) code and data using machine-readable media, such as non-transitory machine-readable storage media (e.g., magnetic disks; optical disks; random access memory; read only memory; flash memory devices; phase-change memory) and machine-readable communication media (e.g., electrical, optical, acoustical or other form of propagated signals—such as carrier waves, infrared signals, digital signals, etc.). In addition, such computing devices typically include a set of one or more processors coupled to one or more other components, such as one or more storage devices, user input/output devices (e.g., a keyboard, a touchscreen, and/or a display), and network connections. The coupling of the set of processors and other components is typically through one or more busses and bridges (also termed as bus controllers). The storage device and signals carrying the network traffic respectively represent one or more machine-readable storage media and machine-readable communication media. Thus, the storage device of a given computing device typically stores code and/or data for execution on the set of one or more processors of that computing device. Of course, one or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.

In the preceding description, numerous specific details are set forth. However, it is understood that embodiments may be practiced without these specific details. In other instances, well-known circuits, structures and techniques have not been shown in detail in order not to obscure the understanding of this description. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.

References in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.

While the flow diagrams in the figures show a particular order of operations performed by certain embodiments of the invention, it should be understood that such order is exemplary (e.g., alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, etc.).

While the invention has been described in terms of several embodiments, those skilled in the art will recognize that the invention is not limited to the embodiments described, can be practiced with modification and alteration within the spirit and scope of the appended claims. The description is thus to be regarded as illustrative instead of limiting. 

What is claimed is:
 1. A method, comprising: monitoring a behavior of a third-party code piece executing in a first isolated execution environment of a plurality of isolated execution environments of a first process in a first compute server, wherein the first compute server is one of a plurality of compute servers that are part of a distributed cloud computing network; determining that the behavior of the executing third-party code piece is indicative of a potential speculative execution attack; receiving, at the first compute server of the plurality of compute servers from a client device, a request that triggers execution of the third-party code piece whose behavior has been determined to be indicative of the potential speculative execution attack; generating, in response to the request, a second process of the first compute server of the plurality of compute servers, wherein the second process is separate from the first process; instantiating a single isolated execution environment within the second process for executing the third-party code piece; loading the third-party code piece in the single isolated execution environment; executing, by the second process, the third-party code piece, wherein the third-party code piece is run in the single isolated execution environment within the second process; and transmitting, to the client device, a response to the request based at least in part on the executed third-party code piece.
 2. The method of claim 1, wherein the second process is configured for executing only the third-party code piece.
 3. The method of claim 1, wherein the second process is a child process of the first process.
 4. The method of claim 1, further comprising: generating, by the second process, the response to the request based at least in part on the executed third-party code piece; and sending, by the second process, the response to the request to the first process.
 5. The method of claim 1, wherein executing the third-party code piece causes a subrequest to be generated that triggers execution of a second one of a plurality of third-party code pieces, and wherein the subrequest is sent to the first process for transmission to a gateway for determining the execution of the second one of the plurality of third-party code pieces.
 6. The method of claim 1, wherein loading the third-party code piece in the single isolated execution environment comprises: receiving the third-party code piece from the first process.
 7. The method of claim 1, wherein determining that the behavior of the executing third-party code piece is indicative of the potential speculative execution attack comprises: setting an indicator for the third-party code piece to indicate that the third-party code piece is exhibiting behavior indicative of the potential speculative execution attack comprises.
 8. A non-transitory machine-readable storage medium that provides instructions that, when executed by a processor, cause said processor to perform operations comprising: monitoring a behavior of a third-party code piece executing in a first isolated execution environment of a plurality of isolated execution environments of a first process in a first compute server, wherein the first compute server is one of a plurality of compute servers that are part of a distributed cloud computing network; determining that the behavior of the executing third-party code piece is indicative of a potential speculative execution attack; receiving, at the first compute server of the plurality of compute servers from a client device, a request that triggers execution of the third-party code piece whose behavior has been determined to be indicative of the potential speculative execution attack; generating, in response to the request, a second process of the first compute server of the plurality of compute servers, wherein the second process is separate from the first process; instantiating a single isolated execution environment within the second process for executing the third-party code piece; loading the third-party code piece in the single isolated execution environment; executing, by the second process, the third-party code piece, wherein the third-party code piece is run in the single isolated execution environment within the second process; and transmitting, to the client device, a response to the request based at least in part on the executed third-party code piece.
 9. The non-transitory machine-readable storage medium of claim 8, wherein the second process is configured for executing only the third-party code piece.
 10. The non-transitory machine-readable storage medium of claim 8, wherein the second process is a child process of the first process.
 11. The non-transitory machine-readable storage medium of claim 8, further comprising: generating, by the second process, the response to the request based at least in part on the executed third-party code piece; and sending, by the second process, the response to the request to the first process.
 12. The non-transitory machine-readable storage medium of claim 8, wherein executing the third-party code piece causes a subrequest to be generated that triggers execution of a second one of a plurality of third-party code pieces, and wherein the subrequest is sent to the first process for transmission to a gateway for determining the execution of the second one of the plurality of third-party code pieces.
 13. The non-transitory machine-readable storage medium of claim 8, wherein loading the third-party code piece in the single isolated execution environment comprises: receiving the third-party code piece from the first process.
 14. The non-transitory machine-readable storage medium of claim 8, wherein determining that the behavior of the executing third-party code piece is indicative of the potential speculative execution attack comprises: setting an indicator for the third-party code piece to indicate that the third-party code piece is exhibiting behavior indicative of the potential speculative execution attack comprises.
 15. An apparatus, comprising: a processor; a non-transitory machine-readable storage medium coupled with the processor that stores instructions that, when executed by the processor, causes said processor to perform the following: monitor a behavior of a third-party code piece executing in a first isolated execution environment of a plurality of isolated execution environments of a first process in a first compute server, wherein the first compute server is one of a plurality of compute servers that are part of a distributed cloud computing network; determine that the behavior of the executing third-party code piece is indicative of a potential speculative execution attack; receive, at the first compute server of the plurality of compute servers from a client device, a request that triggers execution of the third-party code piece whose behavior has been determined to be indicative of the potential speculative execution attack; generate, in response to the request, a second process of the first compute server of the plurality of compute servers, wherein the second process is separate from the first process; instantiate a single isolated execution environment within the second process for executing the third-party code piece; load the third-party code piece in the single isolated execution environment; execute, by the second process, the third-party code piece, wherein the third-party code piece is run in the single isolated execution environment within the second process, and transmit, to the client device, a response to the request based at least in part on the executed third-party code piece.
 16. The apparatus of claim 15, wherein the second process is configured for executing only the third-party code piece.
 17. The apparatus of claim 15, wherein the second process is a child process of the first process.
 18. The apparatus of claim 15, wherein the instructions further cause said processor to perform the following: generate, by the second process, the response to the request based at least in part on the executed third-party code piece; and send, by the second process, the response to the request to the first process.
 19. The apparatus of claim 15, wherein executing the third-party code piece causes a subrequest to be generated that triggers execution of a second one of a plurality of third-party code pieces, and wherein the subrequest is sent to the first process for transmission to a gateway for determining the execution of the second one of the plurality of third-party code pieces.
 20. The apparatus of claim 15, wherein loading the third-party code piece in the single isolated execution environment comprises: receiving the third-party code piece from the first process.
 21. The apparatus of claim 15, wherein determining that the behavior of the executing third-party code piece is indicative of the potential speculative execution attack comprises: setting an indicator for the third-party code piece to indicate that the third-party code piece is exhibiting behavior indicative of the potential speculative execution attack comprises. 